Nmap Network Scanning

Chapter 7. Service and Application Version Detection

Usage and Examples

Before delving into the technical details of how version detection is implemented,
here are some examples demonstrating its usage and capabilities. To enable version detection, just add -sV to
whatever Nmap flags you normally use. Or use the -A option,
which turns on version detection along with other
Advanced and Aggressive features that are described later. It is really
that simple, as shown in Example 7.2.

The preceding scan demonstrates a couple of things. First of all,
it is gratifying to see www.Microsoft.Com served off one of Akamai's
Linux boxes. More relevant to this chapter is that the listed service for
port 443 is ssl/http. That means that service detection first
discovered that the port was SSL, then it loaded up
OpenSSL and
performed service detection again through SSL connections to discover
a web server running AkamaiGHost behind the encryption. Recall that -T4 causes Nmap to go faster (more aggressive
timing) and -F tells Nmap to scan only ports registered in nmap-services.

You can see here the way RPC services are treated, with the
brute-force RPC scanner
being used to determine that port 111 is
rpcbind
version 2. You may also notice that port 515 gives the service as
printer, but that version field is empty.
Nmap determined the service name by probing, but was not able to
determine anything else. On the other hand, port 953 gives the
service as “rndc?”. The question mark tells us that Nmap was not even
able to determine the service name through probing. As a fallback,
rndc is mentioned because that has port 953 registered in
nmap-services.
Unfortunately, none of
Nmap's probes elicited any sort of response from rndc. If they had,
Nmap would have printed a service fingerprint and a submission URL so
that it could be recognized in the next version. As it is, Nmap
requires a special
probe. One might even be available by the time you
read this. The section called “Community Contributions” provides details on writing your own probes.
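The three output conventions discussed above (an ssl/ prefix for services found behind encryption, an empty version column when probing found the service but nothing more, and a trailing “?” when the name is only a guess from nmap-services) are easy to pull out of Nmap's normal output with a small parser. The following is an added example, not code from the book or from Nmap itself; the sample scan text is constructed to mirror the cases described here and is not the book's Example 7.2 or 7.3.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of the port table from an "nmap -sV" run, modelled on the
# cases the chapter walks through. It is not the book's own example output.
SAMPLE_OUTPUT = """\
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 3.9p1 (protocol 1.99)
80/tcp  open  http     Apache httpd 2.0.52
111/tcp open  rpcbind  2 (RPC #100000)
443/tcp open  ssl/http AkamaiGHost
515/tcp open  printer
953/tcp open  rndc?
"""

# One port line: "<port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp|sctp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class ServiceEntry:
    port: int
    proto: str
    state: str
    service: str           # bare service name, e.g. "http" for "ssl/http"
    version: str           # rest of the line; empty when probing found no version
    confirmed: bool        # False when Nmap fell back to nmap-services ("rndc?")
    tunnel: Optional[str]  # "ssl" for services found behind SSL, else None


def parse_port_table(text: str) -> List[ServiceEntry]:
    """Parse port lines from Nmap normal output; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header row, host banners, warnings, etc.
        port, proto, state, service, version = m.groups()
        confirmed = not service.endswith("?")
        name = service.rstrip("?")
        tunnel = None
        if "/" in name:  # e.g. "ssl/http": tunnel first, real service second
            tunnel, name = name.split("/", 1)
        entries.append(ServiceEntry(int(port), proto, state, name,
                                    version or "", confirmed, tunnel))
    return entries


def needs_followup(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Ports worth checking by hand: name only guessed from the port table,
    or probed successfully but without any version information."""
    return [e for e in entries if not e.confirmed or not e.version]
```

Running needs_followup on the sample flags ports 515 (printer, no version) and 953 (rndc?, guessed), which are exactly the two ports the chapter says Nmap could not fully identify.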

It is also worth noting that some services provide much
more
information than just the version number. Examples above include
whether X11 permits connections, the SSH protocol number, and the
Apache module versions list. Some of the
Apache modules even had to be cut from the
output to fit on this page.

A few early reviewers questioned the sanity of running services
such as SSH and finger over SSL. This was actually just fun with
stunnel, in part to ensure that parallel SSL scans actually work.